What is JWT ?
JSON Web Token(JWT) is an open standard(RFC 7519) that defines secure transmission of information between between two parties as a JSON object. JWTs can be signed using a public/private key pair using RSA algorithm and that's why the information shared between two parties is verified and secured.
When should you use JWTs?
There are basically two scenarios where JSON web tokens are useful:
Authorization:
This is the most common use-case of JWT. When user is logged in, each subsequent request will include a JWT token which allows the user to access routes, services, & resources that are permitted with the token.Information Exchange:
JWTs provide a secure way to share sensitive information between two parties. JWTs can be signed using public/private key pairs & that's why you can be sure about the senders who they say they are.
Structure of JWT
JWT consists of three parts separated by dots( . ),
Header
Payload
Signature
Header.Payload.Signature
Header
The header consists of two parts such as the type of the token and the signing algorithm. The type of the token is JWT. The algorithms used are HMAC, SHA256 or RSA.
example:
{
"alg": "HS256",
"typ": "JWT"
}
Payload
The payload contains the claims such as the statements about an entity and additional data. There are three types of claims -
Registered claims (iss, exp, sub, aud, etc).
Public claims.
Private claims.
example:
{
"sub": "1001",
"iat": 1894561234,
"name": "Sagnik ghosh",
"admin": true
}
Signature
The signature is the most important part of a JWT which is calculated by encoding the header, the payload and a secret using encoding techniques like Base64url or HMACSHA256.
example:
For example if you want to use the HMAC SHA256 algorithm, the signature will be created in the following way:
{
HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
secret)
}
If you want to play with JWT, you can go to jwt.io and get your hands dirty.
How JWT works?
In authentication, when the user successfully logs in using their credentials, a JSON Web Token will be returned.
Whenever the user wants to access a protected route or resource, the user agent should send the JWT, typically in the Authorization header using the Bearer schema.
Authorization: Bearer <token>
- The server's protected routes will check for a valid JWT in the Authorization header, and if it's present, the user will be allowed to access protected resources.
Advantages of using JWT
As JSON is more verbose than XML, so, when it is encoded it's size becomes smaller and more compact, which makes JWT better than SAML(Security Assertion Markup Language Tokens) which is another standard for secure transmission of data between two parties.
Signing JSON with digital signature is much easier which makes the process of validating the signature more simpler.
JSON parsers are common in most programming languages because they map directly to objects. This makes it easier to work with JWT.
Security issues
Signed tokens though protected against tampering, is readable by anyone. So, any secret information should not be put inside the payload or header elements of a JWT unless it is encrypted.
HTTPS must be used to secure the Authorization headers.
When a JWT token is assigned, it is set to automatically expire after some time. But if an attacker gets the token before it expires then, that leads to various exploits. So, one must build a token revocation list on the server to invalidate tokens in order to protect the system from such attacks.
Top comments (0)